Module Name: src
Committed By: kamil
Date: Fri Oct 4 14:17:08 UTC 2019
Modified Files:
src/sys/kern: subr_time.c
Log Message:
Avoid signed integer overflow in ts2timo() for ts->tv_nsec
The condition would be rechecked later again after subtracting start time
and most invalid inputs rejected. In corner cases the current code can
accept certain invalid inputs that will pass checks later and behave like
valid ones (due to signed integer overflow).
Reported-by: syzbot+3a4a07b62558bbbd3...@syzkaller.appspotmail.com
To generate a diff of this commit:
cvs rdiff -u -r1.20 -r1.21 src/sys/kern/subr_time.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/kern/subr_time.c
diff -u src/sys/kern/subr_time.c:1.20 src/sys/kern/subr_time.c:1.21
--- src/sys/kern/subr_time.c:1.20 Fri Dec 8 01:19:29 2017
+++ src/sys/kern/subr_time.c Fri Oct 4 14:17:07 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $ */
+/* $NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $ */
/*
* Copyright (c) 1982, 1986, 1989, 1993
@@ -33,7 +33,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.20 2017/12/08 01:19:29 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: subr_time.c,v 1.21 2019/10/04 14:17:07 kamil Exp $");
#include <sys/param.h>
#include <sys/kernel.h>
@@ -329,6 +329,9 @@ ts2timo(clockid_t clock_id, int flags, s
int error;
struct timespec tsd;
+ if (ts->tv_nsec < 0 || ts->tv_nsec >= 1000000000L)
+ return EINVAL;
+
flags &= TIMER_ABSTIME;
if (start == NULL)
start = &tsd;
